Complex Adaptive Systems Conference David Cass, SVP & CISO...
© 2013 David Cass, Elsevier
Information Security as a Source of Innovation Complex Adaptive Systems Conference
David Cass, SVP & CISO
Elsevier Information Security & Data Protection Office
Agenda
• Innovation Drivers
• What’s Changed?
• What’s Old is New Again?
• Guidelines / Framework for Innovation
• How Can Security Innovate?
Some notable quotes
“If change is happening on the outside faster than on the inside
then the end is in sight.”
- Jack Welch
“If everything is under control you’re not going fast enough.”
- Mario Andretti
Or What kills CISOs?
Used to be: Failure to help the business with:
3 Minute Business Case – Innovation Drivers
• Companies are very vulnerable to disruption!
• Low barrier to entry
• Disruption defined:
◦The same value delivered in different ways
• Innovation allows companies to pivot
3 Minute Business Case – Examples
• iTunes vs. Tower
◦Now is iTunes vs. Pandora, Spotify etc.
• Netflix
◦Shipping DVDs
◦Streaming videos
◦Producing top shows
What’s Changed?
• External Factors
◦ Emerging Markets
◦ Outsourcing
What’s Changed?
• External Factors
◦ Privacy
• > 80 Countries with Privacy Laws
• US vs. EU vs. APAC definitions
• Opt in vs. Opt out
What’s Changed?
• External Factors
◦ Law & Cyber
• HIPAA, GLBA, MA, CA…
◦ Cloud
• Fundamental change to the way people work
What’s Changed?
• External Factors
◦ Mobile Apps
◦ BYOD
What’s Changed?
• External Factors
◦ Big Data
◦ Social
What’s Changed?
• Internal Factors
◦ Increased need for business agility
◦Tech skills/expectations of workforce
What’s Changed?
• Internal Factors
◦ Changes in IT staff core competencies
◦ Increased focus on Risk Management
What’s Old is New Again? Key Threats
• Have multiple sources of threat intelligence
• APTs
• DDoS
• Open Source
What’s Old is New Again? Key Threats
• SQL Injection
• Spear Phishing
• Insider
Guidelines / Framework for Innovation
1. Build nothing from scratch
◦ Research first
2. Innovate process at small scales
◦ Improves ability to deliver
◦ Allow everyone to innovate
3. Share as much as you can
◦ Break down silos
◦ Transparency = Speed
Guidelines / Framework for Innovation
4. Sell it before you make it
◦See what works
◦Get traction
◦Don’t build solutions in search of problems
5. Act Responsibly
◦Reputation
◦Say what you do and do what you say!
◦Aspirational vs. attainable
How can Security Innovate?
• Understand what is the Critical Business Knowledge
• Business Transformation
• Policies, Standards, Training & Awareness
• Communications at the Board and Exec Level
• Privacy and Security by Design
Innovation
• Critical Business Knowledge
◦Define it
• Is it a source of competitive advantage
• Is there a regulatory requirement
◦Define a goal
Innovation
• Business Transformation
◦What is the experience we want?
◦How do we deliver what they want?
◦Transparency
Innovation
• Policies & Standards
◦Right size them
◦1 page with bullet points
• Training & Awareness
◦Deliver the message in the way people consume info today
Innovation
• Communications at the Board and Exec Level
◦Become a better storyteller
◦Frame the conversation using FORR
• Financial
• Operational
• Reputational
• Regulatory
Innovation
• Practice Privacy by Design
◦ Proactive not Reactive
◦ Privacy as the Default Setting
◦ Privacy Embedded into Design
Innovation
• Practice Privacy by Design
◦Full Functionality
◦End-to-End Security – Full Life Cycle Protection
◦Visibility and Transparency
◦Respect for User Privacy
Innovation
• Security by Design
◦Protect the data and application
◦Security Awareness Training
◦Partner with the business
• M&A process
• Cloud
Innovation
• Security by Design
◦Risk & Assurance
◦Application Security COE
◦Security Architecture
◦ Incident Response
Closing
• Understand the way the business works
• Apply the 5 guidelines for innovation
• Ability to maintain agility
◦Answer is not binary
• We win by accomplishing business goals
Questions?
David Cass
SVP & CISO, Elsevier
E-mail: [email protected]
Twitter: @dcass001